Merge pull request #3961 from Countly/SER-464-notes-widget-content-sanitize

ar2rsawseen · web-flow · commit e8fa8e061017 · 2023-02-21T19:20:43.000+02:00
[SER-464] sanitize html when creating updating widget
diff --git a/api/utils/common.js b/api/utils/common.js
@@ -2788,7 +2788,6 @@ common.sanitizeFilename = (filename, replacement = "") => {
  * @returns {string} sanitizedHTML - sanitized html content
  */
 common.sanitizeHTML = (html) => {
-
     const whiteList = {
         a: ["target", "title"],
         abbr: ["title"],
@@ -2887,20 +2886,34 @@ common.sanitizeHTML = (html) => {
         }
 
         const attributesRegex = /\b(\w+)=["']([^"']*)["']/g;
-
+        var doubleQuote = '"',
+            singleQuote = "'";
         let matches;
         let filteredAttributes = [];
         let allowedAttributes = Object.getOwnPropertyDescriptor(whiteList, tagName).value;
         let tagHasAttributes = false;
         while ((matches = attributesRegex.exec(tag)) !== null) {
             tagHasAttributes = true;
+            let fullAttribute = matches[0];
             let attributeName = matches[1];
             let attributeValue = matches[2];
             if (allowedAttributes.indexOf(attributeName) > -1) {
-                filteredAttributes.push(`${attributeName}="${attributeValue}"`);
+
+                var attributeValueStart = fullAttribute.indexOf(attributeValue);
+                if (attributeValueStart >= 1) {
+                    var attributeWithQuote = fullAttribute.substring(attributeValueStart - 1);
+                    if (attributeWithQuote.indexOf(doubleQuote) === 0) {
+                        filteredAttributes.push(`${attributeName}=${doubleQuote}${attributeValue}${doubleQuote}`);
+                    }
+                    else if ((attributeWithQuote.indexOf(singleQuote) === 0)) {
+                        filteredAttributes.push(`${attributeName}=${singleQuote}${attributeValue}${singleQuote}`);
+                    }
+                    else { //no quote
+                        filteredAttributes.push(`${attributeName}=${attributeValue}`);
+                    }
+                }
             }
         }
-        console.log("attributes", filteredAttributes);
         if (!tagHasAttributes) { //closing tag or tag without any attributes
             return tag;
         }
diff --git a/plugins/dashboards/api/api.js b/plugins/dashboards/api/api.js
@@ -1078,7 +1078,7 @@ plugins.setConfigs("dashboards", {
                 widget = params.qstring.widget || {};
 
             try {
-                widget = JSON.parse(widget);
+                widget = JSON.parse(common.sanitizeHTML(widget));
             }
             catch (SyntaxError) {
                 log.d('Parse widget failed', widget);
@@ -1157,7 +1157,7 @@ plugins.setConfigs("dashboards", {
                 widget = params.qstring.widget || {};
 
             try {
-                widget = JSON.parse(widget);
+                widget = JSON.parse(common.sanitizeHTML(widget));
             }
             catch (SyntaxError) {
                 log.d('Parse widget failed', widget);
